Atlassian Confluence, unauthenticated OGNL injection RCE
In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance.
Overview
CVE-2022-26134 is a critical unauthenticated OGNL (Object-Graph Navigation Language) injection vulnerability affecting Atlassian Confluence Server and Data Center. This flaw allows a remote, unauthenticated attacker to execute arbitrary code on vulnerable Confluence instances via a specially crafted URL. The vulnerability was exploited as a zero-day in the wild starting in May 2022, with public proof-of-concept code released within 48 hours of Atlassian's disclosure on June 2, 2022.
Technical Details
The vulnerability exists in the way Confluence Server and Data Center process certain URL paths. An attacker can inject malicious OGNL expressions through a crafted HTTP request, which are then evaluated by the server. Because OGNL allows interaction with Java objects and system commands, successful exploitation enables arbitrary Java code execution and operating system command execution.
The attack requires only a single GET request with no authentication, making it trivially exploitable. The injected code runs with the privileges of the Confluence service account, typically providing significant access to the underlying system. Security firm Volexity discovered and reported active exploitation before Atlassian had a patch available, classifying this as a true zero-day attack.
Impact
The impact of this vulnerability is severe. Confluence instances often contain sensitive organizational data including documentation, runbooks, customer information, and IT credentials. Successful exploitation grants attackers:
- Full remote code execution on the Confluence server
- Access to all data stored within Confluence
- Potential lateral movement within the network
- Ability to deploy webshells, cryptocurrency miners, or ransomware
Mass exploitation occurred within days of public disclosure. Attackers deployed BEHINDER webshells, in-memory implants, and coin miners, and conducted ransomware reconnaissance across vulnerable internet-facing instances.
Mitigation
- Patch immediately to fixed Confluence versions: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1, or later
- Block external access to Confluence if possible; restrict access to VPN-only
- Consider migration from Confluence Server (EOL February 2024) to Data Center or Atlassian Cloud
- Review Atlassian's security advisory for temporary mitigations if immediate patching is not possible
Detection
- Hunt for Volexity-published indicators of compromise, including BEHINDER webshell artifacts and in-memory implants
- Review web server access logs for suspicious URL patterns containing OGNL expressions
- Monitor for unexpected child processes spawned by the Confluence Java process
- Check for newly created or modified JSP files in Confluence directories
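To make the second detection item concrete, here is an added example (not tooling from Volexity, Atlassian, or this advisory) that scans web server access log lines for OGNL expression markers in the request path. It assumes the Apache/nginx combined log format and a small marker list (`${`, `#{`, and a few Java class-reference fragments); both the regex and the marker list are assumptions of this example, and the log lines below are constructed, with a placeholder in place of any real expression. Paths are URL-decoded repeatedly so that single- and double-encoded markers are both caught.

```python
import re
from urllib.parse import unquote

# Combined log format (constructed regex; adjust to the proxy or reverse proxy in front of Confluence).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Fragments that appear when an OGNL expression is placed in a URL path (assumed list).
OGNL_MARKERS = ("${", "#{", "@java.", "@org.", ".class.", "getRuntime(", "exec(")


def decode_layers(path, max_layers=3):
    """Return the path plus each successive URL-decoding of it, stopping when decoding is a no-op."""
    layers = [path]
    current = path
    for _ in range(max_layers):
        decoded = unquote(current)
        if decoded == current:
            break
        layers.append(decoded)
        current = decoded
    return layers


def ognl_markers_in(path):
    """Markers found in the path at any decoding layer, case-insensitively."""
    found = set()
    for layer in decode_layers(path):
        lowered = layer.lower()
        for marker in OGNL_MARKERS:
            if marker.lower() in lowered:
                found.add(marker)
    return sorted(found)


def scan_access_log(lines):
    """Return one dict per log line whose request path carries an OGNL marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        markers = ognl_markers_in(m["path"])
        if markers:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "status": int(m["status"]), "path": m["path"], "markers": markers,
            })
    return hits


# Constructed sample lines: two carry a placeholder expression (single- and double-encoded),
# two are ordinary Confluence traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:15:01 +0000] "GET /%24%7BCONSTRUCTED_EXPRESSION%7D/ HTTP/1.1" 302 0',
    '198.51.100.4 - - [03/Jun/2022:10:15:05 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 5123',
    '203.0.113.7 - - [03/Jun/2022:10:16:10 +0000] "GET /%2524%257BCONSTRUCTED_EXPRESSION%257D/ HTTP/1.1" 302 0',
    '192.0.2.9 - - [03/Jun/2022:10:17:00 +0000] "POST /rest/api/content HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["markers"], hit["path"])
```

Point `scan_access_log` at the real access log (`scan_access_log(open(path))`) and triage hits by source IP and response status; any hit from an unexpected source is a reason to move on to the process and JSP checks in the other detection items.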